The server certificate store for holding partner certificates is full

  • Question

  • This is related to

    http://tst.social.technet.microsoft.com/Forums/en-US/ocsedge/thread/f883f66c-e5ba-4d5c-9af0-569684be8c70

    Two questions

    1. What is the impact? i.e. when this area becomes full, what happens?

    2. In the related article it appears to suggest that a fix is http://support.microsoft.com/kb/933430. This increases the buffer from 12k to 16K (the hotfix increases the Schannel security buffer). So at the moment I am seeing 1000 certificates; it sounds like the fix would raise this limit to 1300 certificates, which doesn't sound like a fix, just putting off the problem.

    Any thoughts appreciated on this.

    Regards

    Full error

    Event ID 14374

    The server certificate store for holding partner certificates is full.

    The number of certificates written to the store (RtcSrv\Accepted Certificates) reached the configured limit. No more certificates will be written to the store until the next restart.

    Cause: The server certificate store for holding peer certificates already has the maximum number of certificates permitted by configuration.

    Resolution:

    Delete the certificates from that store using Certificate Manager or using the LCSCertUtil tool supplied as part of the resource kit.


    Alistair

    Monday, April 2, 2012 10:58 AM

All replies

  • Hi,

    To be authenticated by the server, the client must have a certificate that is present in the chain of certificates to a root certificate from the server's list. If the certificate is not stored on the server, clients cannot connect to the server. When it happens in IE, you can’t connect to the web service on the server.

    The fix won’t put off the problem if you exceed the limit. You could only try the three workarounds mentioned in the fix article you mentioned.

    Hope this helps,

    Lisa

    Tuesday, April 3, 2012 7:27 AM
  • Thanks for the reply.

    The certificate store the error relates to is "RtcSrv\Accepted Certificates", i.e. not the normal Trusted certificate authorities.

    So if you could expand on how this is used and the impact of it being full.

    Also the fixes mentioned don't appear to be applicable.

    So any advice gratefully received.


    Alistair

    Tuesday, April 3, 2012 9:41 AM
  • Hi,

    The directory RtcSrv is specified for certificates for the Lync front end service.

    If the error occurs, you can’t connect to the Lync server.

    Regards,

    Lisa

    Monday, April 9, 2012 8:22 AM
  • Hello Alistair, I ran into event 14374 today on OCS 2007 R2 and temporarily resolved it as follows. (Replace "Office Communications Server Access Edge" with "Lync Server Access Edge" in step 2 if for a Lync Edge.)

    1. Stop all Edge Services.

    2. Start -> Run mmc. File -> Add/Remove Snap-in... -> Add... -> Certificates (Add) -> Service Account (Next, Next) -> Office Communications Server Access Edge (Finish) -> Close -> OK.

    3. In the mmc, navigate to RtcSrv\Accepted Certificates -> Certificates. Select all certificates, then select delete and exit the mmc.

    4. Reboot the Edge server.

    Once the Edge services are running, Federated communications worked as expected from the moment that the access edge service started. However, I just happened to notice that the "RtcSrv\Accepted Certificates" store did not begin to populate the certificates of the federated partners that are actively being used until the access edge service had been running for at least 30 minutes. All Edge services worked fine.

    This, of course, is not a permanent fix but it will alleviate the issue for hopefully a long period of time until a better solution is found.

    I know that Microsoft is Federated with more than 1000 OCS or Lync domains and I can only guess that they have had this issue in the past and have already found a better solution than mine. If you have a Microsoft Technical Account Manager, you should ask them to find out how this issue is handled internally within Microsoft.

    Henry

    • Proposed as answer by HJC1 Monday, May 6, 2013 6:48 PM
    Sunday, June 10, 2012 8:28 AM
  • I am still running Microsoft Lync 2010 and continue to have to remove the certification. Have you upgraded to Microsoft Lync 2013 yet? If so, do you still experience this issue or has it been resolved?

    I have uploaded a workaround to my GitHub profile. You can set this up to run regularly via Task Scheduler or just run the PowerShell script directly as and when you need to.

    https://github.com/stuartminch/RemoveLyncCerts

    • Proposed as answer by StuartTM Saturday, August 29, 2015 7:45 AM
    • Edited by StuartTM Wednesday, September 9, 2015 5:32 AM
    Saturday, August 29, 2015 7:30 AM